The ESAs have initiated a consultation on the first batch of policy products under DORA. The consultation includes four draft RTS and one set of draft ITS. These technical standards aim to establish a consistent and harmonized legal framework in the areas of ICT risk management, major ICT-related incident reporting, and ICT third-party risk management.
Under DORA, the ESAs have been mandated to jointly develop a total of 13 policy instruments in two batches. The first batch of technical standards, on which the ESAs have launched a public consultation, consists of four draft RTS and one draft ITS:
– JC 2023 34 discusses the draft RTS on the classification of ICT-related incidents (Art.18(3) DORA): the criteria for classifying incidents, the materiality thresholds that determine when an incident is major, and the criteria for identifying significant cyber threats under DORA. The objective is to harmonize and streamline incident reporting for financial entities in the EU.
– JC 2023 35 discusses the draft RTS for financial entities to manage ICT third-party risk (Art.28(10) DORA). The standards aim to specify the detailed content of the policy on the use of ICT services supporting critical or important functions provided by third-party service providers. Financial entities should perform risk assessments, due diligence, and maintain control over operational risks, information security, and business continuity throughout the contractual arrangements.
– JC 2023 36 discusses the draft ITS for establishing a register of information on contractual arrangements related to the use of ICT services by third-party providers in the financial sector (Art.28(9) DORA). The purpose is to monitor ICT third-party risk and support effective supervision. The paper includes templates for the register of information, which aim to capture essential details and promote consistency. The templates cover contractual arrangements, ICT service supply chains, identification of service providers and functions, and assessments of ICT services.
– JC 2023 39 discusses two draft RTS for harmonizing ICT risk management in the financial sector: one on the regular ICT risk management framework (Art.15 DORA) and one on the simplified ICT risk management framework (Art.16(3) DORA). It covers areas such as security policies, access control, incident detection and response, business continuity management, and reporting.
DORA, which entered into force on 16 January 2023 and will apply from 17 January 2025, aims to enhance the digital operational resilience of entities in the EU financial sector and to harmonize key digital operational resilience requirements across all EU financial entities. The regulatory framework covers areas such as ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, and the management of ICT third-party risk.
The ESAs, along with other relevant authorities, are working together to ensure a cross-sectoral and harmonized approach in developing the level 2 legislation for DORA. The second batch of policy products is expected to undergo consultation by the end of 2023.
